{
	"id": "421024fb-3aea-4053-afc5-54982b8b0ba9",
	"created_at": "2026-04-06T00:12:52.280886Z",
	"updated_at": "2026-04-10T13:11:37.091272Z",
	"deleted_at": null,
	"sha1_hash": "8796568bf4403f6d4221ee259d0fdfc431fb23a7",
	"title": "The MITRE ATT\u0026CK T1003 OS Credential Dumping Technique and Its Adversary Use",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194918,
	"plain_text": "The MITRE ATT\u0026CK T1003 OS Credential Dumping Technique\r\nand Its Adversary Use\r\nBy Sıla Özeren Hacıoğlu\r\nPublished: 2022-03-23 · Archived: 2026-04-05 18:29:08 UTC\r\nObtaining credentials is critical in adversaries' attack campaigns as it allows them to access other resources and\r\nsystems in the target environment. Dumping credentials from operating systems and utilities is the most prevalent\r\ntechnique for adversaries to obtain account logins and credentials. Therefore, this technique has again secured its\r\nplace as one of the top ten most frequently used techniques by adversaries in the Red Report 2024.\r\n \r\nThe Red Report 2024\r\nThe 10 Most Prevalent MITRE ATT\u0026CK Techniques Used\r\nby Adversaries\r\nWhere are Windows OS Credentials Stored?\r\nIn a Windows operating system, credentials are stored in several places:\r\nSecurity Account Manager (SAM) database: The SAM is a protected system file located on the local\r\nmachine, which stores the hashed versions of the password for all local user accounts on the system.\r\nLocal Security Authority Subsystem Service (LSASS) memory: LSASS is a Windows process\r\nresponsible for authenticating user logins and enforcing security policies. When a user logs in, the LSASS\r\nprocess retrieves the user's credentials from the SAM database and stores them in memory for the duration\r\nof the session. \r\nNTDS.dit: NTDS.dit is a database file on domain controllers containing all of the Active Directory data.\r\nThe data in the NTDS.dit file is replicated between domain controllers in a domain or forest. If a user's\r\naccount is in Active Directory, the hashed passwords are stored in the NTDS.dit file. This allows users to\r\nauthenticate across all domain-joined machines.\r\nLocal Security Authority (LSA) Secrets: LSA secrets is a mechanism that allows storing secrets, such as\r\npasswords, in the Windows Registry. 
These secrets can be used to authenticate services, schedule tasks, and\r\nother tasks that require a password.\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 1 of 17\n\nCached Domain Credentials: When a user logs into a Windows computer that is part of a domain, the\r\nuser's domain credentials are cached on the local machine so that the user can continue to access resources\r\non the network if the domain controller is unavailable. The cached credentials are typically stored in the\r\nLSASS memory and can be used to authenticate the user even if the domain controller is not reachable.\r\nCredentials Manager: Credential Manager is the built-in Windows feature that allows users to store and\r\nmanage their credentials, like passwords or certificates. These credentials will be used when a user wants\r\nto access a network resource, web page, or application that requires a username and password.\r\nGroup Policy: In certain situations, credentials may be stored in Group Policy to allow automatic login for\r\na specific user or group of users. This can be useful in cases where a user needs to access a resource that\r\nrequires a username and password, but the user is not present to enter the information manually.\r\nWhere are Linux and macOS OS Credentials Stored?\r\nIn Linux and macOS operating systems, user credentials are typically stored in the following places. It's important\r\nto note that the exact locations and names of these files may vary depending on the specific Linux distribution or\r\nmacOS version you are using.\r\n/etc/passwd: This file is used to store user information, including username, user ID (UID), group ID\r\n(GID), and home directory path.\r\n/etc/shadow: This file is used to store the password hashes and other information related to user\r\nauthentication, such as the last time the password was changed and the date on which the account will\r\nexpire. 
This file is only readable by the root user.\r\nPAM (Pluggable Authentication Modules): PAM is a framework that allows Linux and macOS systems\r\nto use multiple authentication methods, such as local password authentication, Kerberos, and smart cards.\r\nPAM is configured through a series of files located in the /etc/pam.d directory.\r\nNSS (Name Service Switch): This is a facility provided by the operating system that allows switching\r\nbetween different sources of information. For example, information about users, groups, and hosts. It is\r\nconfigured via the /etc/nsswitch.conf file. It can include the files /etc/passwd and /etc/shadow or an\r\nexternal database like LDAP, AD, or NIS.\r\nKerberos: Kerberos is an authentication protocol that uses tickets to establish secure connections between\r\nclients and servers. Kerberos is typically used in enterprise environments and is configured through the\r\nkrb5.conf file, usually located in the /etc directory.\r\nAdversary Use of OS Credential Dumping\r\nAfter gaining access and elevated privileges to a target system, adversaries harvest as many credentials as\r\npossible. Adversaries utilize the OS Credential Dumping technique to collect account login and password from the\r\ncompromised system's operating system and utilities. These credentials could allow threat actors to gain access to\r\nother systems and services in the network with new privileges. 
Adversaries use the harvested credential\r\ninformation for:\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 2 of 17\n\naccessing restricted data and critical assets\r\nmoving laterally to other hosts in the network\r\ncreating new accounts and removing them to impede forensic analysis\r\nfiguring out password patterns and policies to harvest other credentials\r\nSub-techniques of OS Credential Dumping\r\nThere are 8 sub-techniques under the OS Credential Dumping technique in ATT\u0026CK v14:\r\nID Name\r\nT1003.001 LSASS Memory \r\nT1003.002 Security Account Manager \r\nT1003.003  NTDS\r\nT1003.004 LSA Secrets \r\nT1003.005 Cached Domain Credentials \r\nT1003.006 DCSync \r\nT1003.007 Proc Filesystem \r\nT1003.008 /etc/passwd and /etc/shadow\r\nEach of these sub-techniques will be explained in the next sections.\r\n#6.1. T1003.001 LSASS Memory\r\nWindows operating systems store the credentials of logged-in users in the Local Security Authority Subsystem\r\nService (LSASS). LSASS allows users and services to access network resources seamlessly without re-entering\r\ntheir credentials. Adversaries harvest credentials by dumping LSASS memory.\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 3 of 17\n\nLSASS verifies users logging into a Windows system, handles password changes, and creates access tokens. To\r\nauthenticate users, the lsass.exe process stores and uses credentials in different forms, such as Kerberos tickets,\r\nreversibly encrypted plain text, LM hashes, and NT hashes. 
Users with SYSTEM privilege can interact with the\r\nlsass.exe process and dump its memory.\r\nAdversary Use of LSASS Memory\r\nSince LSASS memory contains valuable credentials, adversaries utilize various methods and tools to dump\r\nLSASS memory and extract credentials:\r\nMimikatz: Mimikatz is the most common tool for credential dumping. Mimikatz can extract\r\nplaintext passwords, password hashes, PIN codes, and Kerberos tickets from memory. Adversaries\r\nalso use Mimikatz to perform pass-the-hash, pass-the-ticket, and Golden tickets attacks [1].\r\ngsecdump: Gsecdump is a credential dumping tool that can harvest password hashes from LSA\r\nsecrets, Active Directory (AD), Security Account Manager (SAM), and logon sessions [2].\r\nProcDump: ProcDump is a legitimate tool that is part of the Microsoft Sysinternals suite [3].\r\nProcDump monitors applications for CPU spikes and generates a memory dump of processes.\r\nHowever, adversaries abuse ProcDump to dump LSASS memory and extract credentials from the\r\nmemory dump.\r\nWindows Task Manager: Users can create memory dumps for processes using Windows Task\r\nManager's Create Dump File feature. Adversaries with SYSTEM privilege can use this feature to\r\ndump LSASS memory.\r\nDirect System Calls and API Unhooking: Adversaries may use direct system calls to avoid\r\nsecurity controls. By executing the system calls directly, adversaries bypass Windows and Native\r\nAPI and may also bypass any user-mode hooks used by security controls. 
For example, Dumpert\r\ncan dump LSASS memory via direct system calls and API unhooking [4].\r\nBelow, you'll discover a list of APT groups and threat actors who are utilizing LSASS memory-dumping\r\ntechniques.\r\nFor instance, as evident in CISA's cybersecurity advisory released in September 2023 (AA23-250A), APT actors\r\nutilized ProcDump, a tool typically employed for monitoring and creating crash dumps of processes, to execute a\r\nsophisticated cyber attack [5].\r\nThey placed ProcDump in the c:\\windows\\system32\\prc64.exe directory for two key purposes: enumerating\r\nrunning processes and applications and, more crucially, dumping credentials from the LSASS. This technique\r\ndemonstrates the attackers' adeptness in repurposing legitimate system tools for malicious objectives, a tactic often\r\nemployed to blend in with normal network activities and avoid detection.\r\nAdditionally, in another CISA advisory released in March 2023 (AA23-075A), it was seen that LockBit 3.0\r\nransomware group also used Microsoft Sysinternals ProcDump to dump the contents of LSASS.exe [6]. \r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 4 of 17\n\nFollowing this, a subsequent advisory in May 2023 (AA23-136A) highlighted the actions of the BianLian\r\nransomware group, which similarly targeted the lsass.exe process but chose to create a memory dump and save it\r\nas a CSV file. 
\r\ncmd.exe /Q /c for /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" | find \"lsass\"\"') do\r\nrundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B \\Windows\\Temp\\\u003cfile\u003e.csv full\r\nThe command uses cmd.exe to list processes matching 'lsass.exe,' then employs rundll32.exe to invoke\r\ncomsvcs.dll for creating a full memory dump of LSASS into a specified file, leveraging a Windows built-in\r\nfunction for detailed process examination.\r\n#6.2. T1003.002 Security Account Manager\r\nThe Security Account Manager (SAM) database stores information related to local accounts, including usernames\r\nand hashed passwords. This database resides on the local disk as a file, and adversaries use various methods to\r\naccess the SAM file and extract credentials.\r\nThe SAM is used to store credentials for local accounts. It was introduced with Windows XP and is still in use for\r\nthe latest versions of Windows. The SAM file is located in %systemroot%\\system32\\config\\SAM and is mounted\r\non the HKLM/SAM registry hive. Also, the same password hashes are stored in\r\n%systemroot%\\system32\\config\\SYSTEM, and backup copies can be found in %systemroot%\\repair directory.\r\nThe SAM database stores hashes of user passwords instead of plaintext versions. While the hash format used for\r\npassword storage changed over time, the SAM database is still used by the latest versions of Windows.\r\nLM: (Legacy systems): Introduced in 1987. While turned off by default since Windows Vista/Server 2008,\r\nusers can enable it afterward.\r\nNTLMv1: Introduced in 1993. It is an improved version of LM but still contains vulnerabilities.\r\nNTLMv2: This updated version of NTLMv1 includes additional security features, such as a\r\nchallenge/response mechanism to provide message integrity and replay protection. 
It's mainly used in\r\nWindows operating systems and older versions than Windows NT3.1 and Windows 2000.\r\nNTLMv2 Session Security: This is an update of NTLMv2 that includes additional security features, like\r\nsigning and sealing the messages, more robust encryption keys, and secure channel protection.\r\nKerberos: This is an industry-standard authentication protocol used in Windows operating systems.\r\nbcrypt: A more advanced password hashing algorithm designed to replace md5crypt, Blowfish-based\r\ncrypt(3) algorithm.\r\nscrypt: Another advanced password hashing algorithm, designed to be more computationally expensive\r\nthan bcrypt, better suited for usage with stronger user authentication.\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 5 of 17\n\nSince the password is stored in a one-way format (i.e., irreversible), it is not feasible to get the original password\r\nfrom the hashed output as long as the length and complexity of the password are not susceptible to birthday\r\nattacks. \r\nA one-way hash function is a mathematical function that converts an input string of variable length into a fixed-length binary sequence. This sequence is difficult to reverse, meaning it is difficult to use the output (the hash) to\r\ndetermine the original input string. 
One-way hash functions are commonly used to securely store passwords and\r\nother sensitive data.\r\nAdversary Use of Security Account Manager\r\nSeveral tools can retrieve the SAM file through in-memory techniques, such as pwdumpx.exe, Gsecdump,\r\nMimikatz, and secretsdump.py.\r\nIn addition to these above, adversaries can extract the SAM from the Registry via Reg:\r\nreg save HKLM\\sam sam\r\nreg save HKLM\\system system\r\nFor instance, TrickBot's ADll module takes advantage of the \"Install from Media\" command to dump the Active\r\nDirectory database and various Registry hives to the %Temp% folder with the following command [7]. \r\nreg save HKLM\\SAM %TEMP%\\[generated-id]1.dat /y\r\nThese files are then compressed and sent back to the attackers.\r\nAnother example comes from CISA's cybersecurity advisory, which was released in December 2023 [8]. In this\r\noperation, the Russian Foreign Intelligence Service (SVR) had a specific target: their victims' Windows Registry.\r\nThey concentrated on extracting sensitive data from the SYSTEM, SAM, and SECURITY hives. 
To accomplish\r\nthis, they utilized the reg save command to generate copies of these hives in the C:\\Windows\\temp\\ directory,\r\nsuccessfully capturing vital system and user data.\r\nreg save HKLM\\SYSTEM \"\"C:\\Windows\\temp\\1\\sy.sa\"\" /y\r\nreg save HKLM\\SAM \"\"C:\\Windows\\temp\\1\\sam.sa\"\" /y\r\nreg save HKLM\\SECURITY \"\"C:\\Windows\\temp\\1\\se.sa\"\" /y\r\nSubsequently, PowerShell was employed to compress these files into a .zip archive, staged in the same directory.\r\npowershell Compress-Archive -Path C:\\Windows\\temp\\1\\ -DestinationPath C:\\Windows\\temp\\s.zip -Force \u0026 del\r\nC:\\Windows\\temp\\1 /F /Q\r\nThis methodical approach not only allowed them to systematically gather vital system information but also\r\nfacilitated smooth exfiltration through their backdoor capabilities, highlighting a calculated and efficient strategy\r\nfor sensitive data exfiltration.\r\nAnother credential dumping example is from the CISA's cybersecurity advisory (AA23-144A) on Volt Typhoon,\r\nwhich was released in May 2023 [9].\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 6 of 17\n\nreg save hklm\\sam ss.dat\r\nreg save hklm\\system sy.dat\r\nThese two commands are used to export the SAM and SYSTEM hives from the Windows Registry into respective\r\nfiles, ss.dat, and sy.dat. \r\nSo far, we have seen several examples of SAM database dumping through registry manipulation. However, it is\r\nessential to note that passwords within the SAM file are not stored in cleartext but in a hashed format. And even\r\nthough hash functions are designed to be one-way, having an output makes it impossible to learn the input;\r\nhashing passwords does not guarantee a foolproof security measure. 
With a list of dumped valid account\r\ncredentials, adversaries can perform offline password cracking attacks to find the cleartext password by trying\r\nmany combinations of characters and comparing the resulting hashes to the stored password hash.\r\nThere are several ways to perform an offline password-cracking attack:\r\n1. Brute-Force Attacks\r\nIn this attack type, adversaries try all possible combinations of characters up to a certain length and character set.\r\nThe length and set of characters are generally defined by adversaries through gaining knowledge of the\r\norganization's password policy. It is important to note that as a password's complexity increases, brute-force\r\nattacks become significantly time-consuming and inefficient. For instance, adversaries can crack passwords with\r\n12 characters using ChatGPT hardware in 8 months [10]. However, it would take them 3000 years to crack 14-\r\ncharacter passwords with the same tools.\r\n2. Dictionary Attack\r\nIn dictionary attacks, an adversary tries a predefined list of words and phrases commonly used as passwords. These\r\nattacks can be effective, but how fast they can be achieved depends on the information about a target, such as their\r\nbirthday and birthplace, the name of their children or pet, which sports team they are a fan of, etc. In some cases,\r\nadversaries leverage hybrid attacks using brute force and dictionary attacks by trying a combination of commonly\r\nused words and randomly generated characters.\r\n3. Rainbow Table Attacks\r\nA rainbow table is a precomputed table of hash values that can be used to speed up the process of cracking\r\npasswords. A rainbow table attack works by comparing the target password hash with the hashes in the rainbow\r\ntable to see if there is a match. 
The corresponding password can be retrieved from the table and used to log in if a\r\nmatch is found.\r\nA significant benefit of using rainbow tables as an adversary is that they can avoid the hash generation process.\r\nFor example, if all sets of passwords of 1-8 characters, consisting of the ASCII-32-95 characters, get hashed by\r\nthe NTLM hashing algorithm, the key space would become 6,704,780,954,517,120 ≈ 2^52.6, which is\r\napproximately 460 GB. \r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 7 of 17\n\nHence, instead of trying to generate a hash of all plaintext within a specific range, attackers can directly look up\r\nthe hash in the table (some algorithms speed up the checking process) and retrieve the corresponding password.\r\n#6.3. T1003.003 NTDS\r\nThe NTDS.dit file is a database that stores information about Active Directory Domain Services (AD DS),\r\nincluding user objects, groups, and group membership. It also contains the hashed passwords for all users within\r\nthe domain, making it another juicy target from which adversaries can dump credentials.\r\nAdversary Use of NTDS \r\nAdversaries commonly leverage the following methods and tools to capture the NTDS.dit file:\r\n1. Utilizing NTDSUtil.exe\r\nThe use of ntdsutil.exe, a built-in command-line utility located in the %systemroot%\\system32\\ directory on\r\nWindows systems, is a notable method for extracting sensitive data, particularly from Active Directory\r\nenvironments. This utility, which requires administrative privileges to operate, is capable of exporting a copy of\r\nthe Active Directory database (NTDS.dit) from a Domain Controller. 
\r\nIt achieves this through the Install From Media (IFM) backup functionality, providing a potent tool for adversaries\r\nto access a wealth of sensitive organizational data, including user credentials and system configurations, assuming\r\nthey have gained the necessary elevated access.\r\nThreat actors often leverage the ntdsutil.exe utility to capture the NTDS.dit file.\r\nFor instance, as evident in CISA's cybersecurity advisory (AA23-319A) on the Rhysida ransomware group, threat\r\nactors used the ntdsutil.exe utility to extract and dump the NTDS.dit database from the domain controller\r\ncontaining hashes for all AD users [11].\r\nOnce more, as revealed in a different CISA cybersecurity advisory (AA23-144A) issued in May 2023, the Volt\r\nTyphoon APT employed the following commands to replicate the ntds.dit file and SYSTEM registry hive by\r\nutilizing ntdsutil.exe. Each of the subsequent actor commands stands as an individual example, with multiple\r\ninstances provided to illustrate variations in syntax and file paths that may be encountered in different\r\nenvironments [9].\r\nwmic process call create \"ntdsutil \\\"ac i ntds\\\" ifm \\\"create full C:\\Windows\\Temp\\pro\r\nwmic process call create \"cmd.exe /c ntdsutil \\\"ac i ntds\\\" ifm \\\"create full C:\\Windows\\Temp\\Pro\"\r\nwmic process call create \"cmd.exe /c mkdir C:\\Windows\\Temp\\tmp \u0026 ntdsutil \\\"ac i ntds\\\" ifm \\\"create full\r\nC:\\Windows\\Temp\\tmp\\\"\r\n\"cmd.exe\" /c wmic process call create \"cmd.exe /c mkdir C:\\windows\\Temp\\McAfee_Logs \u0026 ntdsutil \\\"ac i ntds\\\"\r\nifm \\\"create full C:\\Windows\\Temp\\McAfee_Logs\\\"\r\ncmd.exe /Q /c wmic process call create \"cmd.exe /c mkdir C:\\Windows\\Temp\\tmp \u0026 ntdsutil \\\"ac i ntds\\\" ifm\r\n\\\"create full C:\\Windows\\Temp\\tmp\\\"  1\u003e \\\\127.0.0.1\\ADMIN$\\\u003ctimestamp 
value\u003e 2\u003e\u00261\r\n2. Leveraging Shadow Copies\r\nAdversaries exploit shadow copies for credential dumping by targeting the ntds.dit file, the primary database of\r\nActive Directory, and the SYSTEM registry hive from Windows domain controllers. The ntds.dit file, located by\r\ndefault at %SystemRoot%\\NTDS\\ntds.dit, contains crucial information like user details, group memberships, and\r\npassword hashes. The SYSTEM registry hive holds the boot key, which is essential for decrypting data in the\r\nntds.dit file. Since the ntds.dit file is typically locked during Active Directory's operation, adversaries create a\r\nVolume Shadow Copy, a snapshot of the file system, to access a copy of this locked file.\r\nThe process typically involves using commands to create a shadow copy of the volume where the ntds.dit file\r\nresides and then copies the ntds.dit file from this shadow copy to a location where it can be exfiltrated. \r\nFor example, the following commands are run by Volt Typhoon APT in their attack campaigns that were disclosed\r\nin May 2023 [9]. \r\ncmd /c vssadmin create shadow /for=C: \u003e C:\\Windows\\Temp\\\u003cfilename\u003e.tmp\r\ncmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit\r\nC:\\Windows\\Temp \u003e C:\\Windows\\Temp\\\u003cfilename\u003e.tmp\r\nThese commands create a shadow copy of the C: drive and then copy the ntds.dit file from the shadow copy to a\r\ntemporary directory, logging the operations in a temporary file, often for surreptitious data access purposes.\r\n#6.4. T1003.004 LSA Secrets\r\nLocal Security Authority (LSA) Secrets are sensitive information, such as credentials and secrets, that the LSA of\r\na Windows operating system stores. The LSA is an operating system component responsible for managing\r\nsecurity-related functions, such as authentication and authorization. 
LSA Secrets may include various information,\r\nsuch as password hashes, security keys, and other sensitive data.\r\nLSA Secrets are stored in a protected location on the system and are typically only accessible to the operating\r\nsystem and trusted applications. The LSA uses them to perform various security-related tasks, such as\r\nauthenticating users and granting access to resources.\r\nLSA Secrets may be stored in a number of locations, including the system memory and the registry. On Windows\r\nsystems, LSA Secrets may be stored in the HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets registry key.\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 9 of 17\n\nAdversary Use of LSA Secrets\r\nAdversaries leveraging Mimikatz for LSA Secrets extraction follow a structured approach. They use Mimikatz's\r\nlsadump::secrets command to target and extract sensitive data, including password hashes and security keys from\r\nsystem memory. This operation requires elevated privileges, typically achieved by impersonating a SYSTEM\r\ntoken with Mimikatz's privilege::debug command, as LSA Secrets are only accessible to the operating system and\r\ntrusted applications. This process is carefully executed, taking into account potential detection mechanisms.\r\n1. Initial Access with CrackMapExec\r\nAdversaries begin by gaining initial access to the target system. Using CrackMapExec, they authenticate using\r\ncompromised credentials.\r\ncrackmapexec smb \u003chost address\u003e -u \"domain_admin\" -p \"password\"\r\nThis step involves leveraging the credentials of a previously compromised domain admin.\r\n2. Elevating Privileges and Logging Output\r\nUpon running Mimikatz, their first command is to elevate privileges to manipulate system processes, using:\r\nThen, they prepare to log the output to a file, anticipating extensive data that may not be fully visible in the\r\nconsole:\r\n3. 
Extracting Logon Passwords and LSA Secrets\r\nWith elevated privileges, the adversaries execute the command to dump logon passwords and LSA secrets:\r\nThis process results in the extraction of LSA secrets, including plain text credentials.\r\nIf we were to provide some real-life examples, it is known that, in their operation, the Russian Foreign\r\nIntelligence Service (SVR) leveraged Mimikatz with lsadump::secrets option to dump LSA secrets from the\r\nsystem memory [8]. \r\nMoreover, in June 2023, it was revealed that the Chinese APT15 utilized the SharpSecDump tool to extract LSA\r\ncredentials from victim systems [12]. SharpSecDump, developed in .NET, is a port of Impacket's secretsdump.py,\r\nwhich is part of a widely used Python toolkit for network protocols. Its main function mirrors that of\r\nsecretsdump.py: to dump SAM and LSA secrets from Windows systems, targeting sensitive data extraction.\r\n#6.5. T1003.005 Cached Domain Credentials\r\nIn situations where a domain-joined computer encounters difficulty connecting to AD DS during a user's logon\r\nprocess, the system caches domain credentials in the registry for authentication purposes. This local caching of\r\nlogon information for domain accounts ensures that users can still access their accounts even when a connection to\r\na domain controller is unavailable during subsequent logons.\r\nThe storage mechanism for these cached credentials is referred to as DCC2, which stands for Domain Cached\r\nCredentials version 2. DCC2 serves as a security feature within the Microsoft Windows operating system,\r\nenabling the caching of domain credentials on a system. 
This functionality empowers users to log in to the domain\r\neven when they are not connected to the network, enhancing the usability of Windows systems. It acts as a\r\nsecondary authentication method when a connection to the domain controller cannot be established.\r\nWhen DCC2 is activated on a system, domain credentials are stored either in the SAM database or the Credential\r\nManager, depending on the Windows version in use. These cached credentials are encrypted, ensuring their\r\nsecurity, and can only be accessed by the system when a user attempts to log in to the domain. DCC2 encompasses\r\ntwo types of cached domain credentials, both of which are employed by the system for authentication purposes:\r\n1. mscache2\r\nmscache2 is a cached domain credential used by Windows systems running Windows 2000 and later. It stores the\r\npassword hash of the user's domain account, salt value, and other metadata. When a user attempts to log in to the\r\ndomain, the system uses the mscache2 credentials to authenticate the user to the domain controller.\r\n2. mcash2\r\nmcash2 (Microsoft CAched haSH) is a newer version of the mscache2 credential, and it is used by Windows\r\nsystems running Windows 8 and later. It stores the password hash of the user's domain account, additional\r\nmetadata, and a more robust encryption key.\r\nAdversary Use of Cached Domain Credentials\r\nAn adversary may use the [T1003.005] technique as part of their attack campaign to obtain cached domain\r\ncredentials and use them to gain unauthorized access to the domain or other systems on the network. An adversary\r\nmay use the following tools to extract the cached domain credentials from a compromised system:\r\nLaZagne can extract credentials from various sources, including the system memory, the Windows\r\nCredential Manager, and various configuration files. 
LaZagne can also extract cached credentials from a\r\ncompromised system.\r\nCachedump, Metasploit's post-exploitation module, extracts cached credentials from a compromised\r\nsystem. The cachedump module can extract cached domain credentials from the Security Accounts\r\nManager (SAM) database and can be used to extract mscache2 and mcash2 credentials, depending on the\r\nversion of Windows.\r\nreg.exe is not typically used to extract cached credentials, but it may be possible to extract cached\r\ncredentials from the registry if they are stored there.\r\nsecretsdump.py is a tool used to extract secrets, including credentials, from a system. It can also extract\r\ncached credentials.\r\nMimikatz is also used by adversaries to extract cached credentials. It can extract credentials from various\r\nsources, including the system memory, the Security Accounts Manager (SAM) database, and the Windows\r\nCredential Manager.\r\nWindows Credential Editor (WCE) extracts credentials from the system memory or local storage, such as\r\nthe SAM database. Adversaries often use it to extract cached credentials.\r\nAdversaries may use many other tools to extract cached credentials from a compromised system. Some\r\nexamples include creddump, Pwdump, Fgdump, and LsaDump2.\r\n#6.6. T1003.006 DCSync\r\nDCSync is a feature in Microsoft Domain Controllers (DC) that allows replication of the Active Directory (AD)\r\ndatabase from a primary to a secondary DC, ensuring all DCs have the latest directory copy. It's commonly used\r\nby adversaries with sufficient permissions to extract sensitive information like credentials. \r\nDCSync employs the Remote Procedure Call (RPC) protocol, requiring \"Replicate Directory Changes\" permission\r\non the domain object in AD. 
It can replicate the entire database or specific parts, either in real-time or on a\r\nschedule. Primarily used by administrators to maintain AD database integrity and availability, DCSync is integral\r\nfor keeping DCs updated and often works alongside other replication technologies.\r\nAdversary Use of DCSync\r\nAttackers can abuse DCSync in their attack campaigns to obtain sensitive information from the AD database. An\r\nadversary can do this with sufficient permissions and credentials, using DCSync to replicate the AD database from\r\na primary DC to a secondary DC and then extracting sensitive information such as user passwords and other\r\ncredentials.\r\nThere are several ways in which attackers may abuse DCSync in their attack campaigns:\r\n1. Obtaining User Credentials\r\nAn attacker may use DCSync to replicate the AD database and extract user credentials, such as passwords, to gain\r\nunauthorized access to the system. This can be done without leaving any trace of the operation on the primary DC,\r\nmaking it difficult to detect.\r\n2. Conducting Lateral Movement\r\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nPage 12 of 17\n\nAn attacker may use DCSync to obtain credentials for other systems and services on the network to move laterally\r\nwithin the network and potentially compromise other systems.\r\n3. Escalating Privileges\r\nAn attacker may use DCSync to obtain credentials for high-privilege accounts, such as administrator accounts, to\r\nescalate their privileges on the system. This can allow them to perform actions that would otherwise be restricted\r\nto them. 
\r\nBelow, you are going to see the steps required to perform a DCSync attack with Mimikatz.\r\nStep 1: Compromise an Account with Replication Rights\r\nTo make this attack work, adversaries first compromise an administrative account (e.g., \"PrivUser1\") capable of\r\nreplicating data from Active Directory [13].\r\nPS\u003e .\\mimikatz.exe \"privilege::debug\" \"sekurlsa::msv\"\r\nPS\u003e .\\mimikatz.exe \"sekurlsa::pth /user:PrivUser1 /ntlm:\u003chash\u003e /domain:domain.com\"\r\nStep 2: Replicate Data from Active Directory\r\nUsing Mimikatz, they replicate credentials from Active Directory, targeting the krbtgt account:\r\nPS\u003e .\\mimikatz.exe \"lsadump::dcsync /user:DOMAIN\\krbtgt\"\r\nStep 3: Execute a Golden Ticket Attack\r\nWith the krbtgt hash, they generate a Golden Ticket for extensive access to Active Directory:\r\nPS\u003e .\\mimikatz.exe \"kerberos::golden /domain:domain.com /sid:\u003cSID\u003e /krbtgt:\u003ckrbtgt_hash\u003e /user:Administrator\r\n/id:500 /ptt\"\r\nFinally, tools like PsExec may be used for remote execution:\r\nPS\u003e PSExec.exe \\\\fileserver1 powershell.exe\r\nThis approach allows attackers to escalate privileges and achieve broad network access, underscoring the need for\r\nstrong security protocols.\r\n#6.7. T1003.007 Proc Filesystem\r\nThe proc filesystem (procfs) is a virtual filesystem in the Linux kernel that provides information about processes\r\nand other system information. It is a pseudo-filesystem, meaning it does not exist on a physical storage device but\r\nrather is generated dynamically by the kernel as needed. Adversaries may attempt to use the procfs to obtain\r\ncredentials and other sensitive information from a system. \r\nThe procfs is typically mounted in the /proc directory, and it consists of a series of virtual files and directories that\r\nprovide information about various aspects of the system. 
Some examples of the types of information that can be\r\nfound in the procfs include:\r\nProcess information: The /proc directory contains a subdirectory for each running process on the system,\r\nwith a numeric name corresponding to the process ID (PID). These directories contain virtual files with\r\ninformation about the process, such as its command line arguments, current working directory, and open\r\nfile descriptors.\r\nKernel information: The procfs also contains virtual files and directories with information about the\r\nkernel and its configuration. This can include information about the version of the kernel, the system\r\narchitecture, and the loaded kernel modules.\r\nHardware information: The procfs contains virtual files with information about the hardware on the\r\nsystem, such as the processor type and model, the amount of memory installed, and the configured\r\ninterrupts and I/O ports.\r\nAdversary Use of Proc Filesystem\r\nThe proc filesystem (procfs) can potentially be used by attackers to obtain credentials and other sensitive\r\ninformation about the operating system and its processes. There are several ways in which attackers may use the\r\nprocfs for this purpose:\r\n1. Extracting Command-line Arguments\r\nThe procfs contains virtual files with the command-line arguments of each running process on the system. An\r\nattacker may attempt to read these files in order to obtain any sensitive information that may have been passed as\r\ncommand-line arguments, such as passwords or API keys.\r\n2. Reading Environment Variables\r\nThe procfs contains virtual files with the environment variables of each running process. 
An attacker may attempt\r\nto read these files in order to obtain sensitive information that may be stored in environment variables, such as\r\ncredentials for external services or database servers.\r\n3. Obtaining Process Information\r\nThe procfs contains virtual files with information about the processes running on the system, including the current\r\nworking directory, open file descriptors, and other details. An attacker may use this information to gather\r\nintelligence about the system and potentially identify processes that may be of interest.\r\n4. Reading Kernel Information\r\nThe procfs contains virtual files and directories with information about the kernel and its configuration. An\r\nattacker may attempt to read these files in order to obtain information about the version of the kernel, the system\r\narchitecture, and the loaded kernel modules. This information may be used to tailor an attack to the specific\r\nsystem and potentially exploit known vulnerabilities.\r\nAn adversary may use the following tools to extract credentials using the proc file system:\r\nMimiPenguin is an open-source tool capable of dumping process memory and harvesting passwords and\r\nhashes by searching for text strings and regular expressions. \r\nLaZagne can extract credential information from process memory with the memorydump.py module. It\r\nincludes regex patterns for passwords of common websites, such as Gmail, Dropbox, Salesforce, PayPal,\r\nTwitter, GitHub, and Slack. LaZagne uses these patterns to dump cleartext passwords from the browser's\r\nmemory. Its mimipy.py module is a Python port of MimiPenguin. \r\nProcdump for Linux is a Linux reworking of the classic ProcDump tool from the Sysinternals suite of\r\ntools for Windows. 
It provides Linux developers with a straightforward method for generating core dumps\r\nof their applications in response to performance triggers. Naturally, adversaries utilize this tool to dump\r\nprocess memory and extract credentials from dumped memory.\r\n#6.8. T1003.008 /etc/passwd and /etc/shadow\r\nThe /etc/passwd and /etc/shadow files store information about user accounts on a Unix-like system. While the\r\n/etc/passwd file stores user account information, the /etc/shadow file consists of password hashes. MD5, SHA-256, and SHA-512 are hash algorithms used for these passwords. The contents of these files are dumped by\r\nadversaries for offline password cracking.\r\nThe /etc/passwd file stores information about each user account, including the username, user ID (UID), group ID\r\n(GID), and home directory. It does not contain the user's password, however. The /etc/shadow file stores the\r\nhashed password for each user account, along with other information, such as the password expiration date and\r\nany password reset flags. This file is typically readable only by the root user, as it contains sensitive information.\r\nAdversary Use of /etc/passwd and /etc/shadow\r\nAdversaries may attempt to access or modify the contents of the /etc/passwd and /etc/shadow files on a Unix-like\r\nsystem in order to compromise user accounts and gain unauthorized access to the system. There are several ways\r\nin which attackers may use these files for malicious purposes:\r\n1. Adding new user accounts\r\nAn attacker may add a new user account to the /etc/passwd file with a known or easily guessable password. This\r\nwould allow them to log in to the system using the new account and potentially escalate their privileges.\r\n2. Modifying existing accounts\r\nFor example, an attacker may modify an existing user account in the /etc/passwd file by changing the home\r\ndirectory or group membership to escalate their privileges. 
They may also modify the user's password in the\r\n/etc/shadow file by changing it to a known password or setting it never to expire.\r\n3. Gaining access to encrypted passwords\r\nAn attacker may attempt to gain access to the /etc/shadow file in order to obtain the encrypted passwords for\r\noffline cracking. They may then use tools such as John the Ripper or Hashcat to try to crack the passwords and\r\ngain access to user accounts.\r\n4. Using these files as part of a larger attack\r\nAn attacker may use the /etc/passwd and /etc/shadow files in combination with other tactics and techniques as part\r\nof a larger attack against a system, such as moving laterally within the network.\r\nTools Used by Adversaries to Dump Credentials from /etc/passwd and /etc/shadow Files\r\nChntpw\r\nThis versatile utility, originally designed for resetting passwords on Windows systems, can also be repurposed to\r\ndump password hashes from Unix/Linux systems. When used in a Unix-like environment, Chntpw can access and\r\nread the contents of /etc/passwd and /etc/shadow. The command syntax required for this tool is as follows.\r\nchntpw -E /etc/passwd \u003e passwd_hashes.txt\r\nchntpw -S /etc/shadow \u003e\u003e passwd_hashes.txt\r\nUnshadow\r\nThe Unshadow tool is a specialized utility in Linux environments designed to merge the contents of the\r\n/etc/passwd and /etc/shadow files. Combining these two files, Unshadow creates a single file with usernames and\r\nassociated hashed passwords. The command required for this tool is as follows [14].\r\nunshadow /etc/passwd /etc/shadow \u003e password_file\r\nLaZagne\r\nLaZagne stands out as a versatile credential extraction tool, capable of retrieving sensitive information from\r\nvarious systems, including Unix-like systems. 
Specifically, on Linux, its shadow.py module, found under the\r\n/Linux/lazagne/softwares/sysadmin directory, is adept at accessing credential data from the /etc/shadow file. This\r\nfile is critical as it contains hashed passwords of system users. The command used in this technique is as follows\r\n[15].\r\nLaZagne's capability extends to performing dictionary attacks on several hash formats stored in /etc/shadow,\r\nincluding MD5, Blowfish, SHA-256, and SHA-512. This functionality allows it to potentially crack and reveal\r\nuser passwords, assuming it operates with the necessary root privileges.\r\nReferences\r\n[1] “GitHub - ParrotSec/mimikatz,” GitHub. https://github.com/ParrotSec/mimikatz\r\n[2] “gsecdump.” https://jpcertcc.github.io/ToolAnalysisResultSheet/details/gsecdump.htm\r\n[3] “procdump.” https://learn.microsoft.com/en-us/sysinternals/downloads/procdump\r\n[4] “GitHub - outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking,”\r\nGitHub. https://github.com/outflanknl/Dumpert\r\n[5] “Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475,” Cybersecurity and\r\nInfrastructure Security Agency CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a\r\n[6] “StopRansomware: LockBit 3.0,” Cybersecurity and Infrastructure Security Agency CISA. \r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a\r\n[7] L. Abrams, “TrickBot Now Steals Windows Active Directory Credentials,” BleepingComputer, Jan. 23, 2020. \r\nhttps://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/\r\n[8] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity\r\nand Infrastructure Security Agency CISA. 
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\r\n[9] “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,”\r\nCybersecurity and Infrastructure Security Agency CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\r\n[10] “Hive Systems Password Table,” Hive Systems. https://www.hivesystems.io/password-table\r\n[11] “StopRansomware: Rhysida Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. \r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a\r\n[12] B. Toulas, “Chinese APT15 hackers resurface with new Graphican malware,” BleepingComputer, Jun. 21,\r\n2023. https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/\r\n[13] S. Özeren, “DCShadow Attack Explained - MITRE ATT\u0026CK T1207,” Aug. 22, 2023. \r\nhttps://www.picussecurity.com/resource/blog/dcshadow-attack-explained-mitre-attack-t120\r\n[14] “Unshadow Command Examples in Linux.” https://www.thegeekdiary.com/unshadow-command-examples-in-linux/\r\n[15] H. C. Yuceel, “The MITRE ATT\u0026CK T1003 OS Credential Dumping Technique and Its Adversary Use,” Mar.\r\n23, 2022. https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\nSource: https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\r\ndemonstrates the attackers' adeptness in repurposing legitimate system tools for malicious objectives, a tactic often employed to blend in with normal network activities and avoid detection.\nAdditionally, in another CISA advisory released in March 2023 (AA23-075A), it was seen that the LockBit 3.0\nransomware group also used Microsoft Sysinternals ProcDump to dump the contents of LSASS.exe [6].",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use"
	],
	"report_names": [
		"the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8796568bf4403f6d4221ee259d0fdfc431fb23a7.pdf",
		"text": "https://archive.orkl.eu/8796568bf4403f6d4221ee259d0fdfc431fb23a7.txt",
		"img": "https://archive.orkl.eu/8796568bf4403f6d4221ee259d0fdfc431fb23a7.jpg"
	}
}